Information
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.
The recommended state for this setting is to include: Guests
Important: If you apply this security policy to the Everyone group, no one will be able to log on locally.
Warning: The help text in Intune associated with this recommendation is for the setting,
Deny log on as a service
and not this setting.
Any account with the ability to log on locally could be used to log on at the console of the computer. If this user right is not restricted to legitimate users who need to log on to the console of the computer, unauthorized users might download and run malicious software that elevates their privileges.
Solution
To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Guests
User Rights\Deny Local Log On
Note: Include only one User or Group per line in the Settings Catalog configuration screen.
Impact:
If you assign the Deny log on locally user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on computers that run IIS 6.0. You should confirm that delegated activities will not be adversely affected.